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2. Generic AAA Architecture 



For the long term we envision a generic AAA server which is capable 
of authenticating users, handling authorization requests, and 
collecting accounting data. For a service provider, such a generic 
AAA server would be interfaced to an application specific module 
which manages the^ resource for which authorization is required. 
Generic AAA components would also be deployed in other administrative 
domains performing authorization functions. 

2.1. Architectural Components of a Generic AAA Server 
2.1.1. Authorization Rule Evaluation 



The first step in the authorization process is for the user or an 
entity operating on the user's behalf to submit a well-formatted 
request to an AAA server. A generic AAA server has rules (logic 
and/or algebraic formulas) to inspect the request and come to an 
authorization decision. The first problem which arises is that 
implication Specific Information (ASI) has to be separated from the 
underlying logic for the authorization. Ideally the AAA server would 
have a rule based engine at this point which would know the logic 
rules and understand some generic information in the request, but it 
would not know anything about application specific information except 
where this information can be evaluated to give a boolean or 
numerical value. It should be possible to create rules that refer to 
data elements that were not considered when the application was 
created. For example, one could request to do a remote virtual 
control room experiment from home using a dialin provider. The 
request would only be successful if the dialin access server allows 
it and if there is bandwidth available (bandwidth broker) and if the 
experimenter has the money to pay for it (E-Commerce) . Possibly the 
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people who specified the bandwidth broker protocol did not think of 
combining quality of service with a network service authorization in 
a single AAA request, but this generic model would allow it. 




auth 



<-- 



->l 
I 

+- 



AAA 



auth 



l<- 
I 



+ - 
I 

->l 
I 

+- 

+ - 
I 

+- 



AAA 



BB 



-+ +- 
I auth I 
|< >| 

I I 
-+ +- 



+- 
I 

+- 



AAA 



BB 



-+ 
I 

l<- 
I 

-+ 

-+ 
I 

-+ 



auth 



"->l 
I 

+- 



AAA 



I Budget 



-+ 
I 
I 
I 

-+ 

- + 
I 

-+ 



+ + I I 

I dial in I + + + + 

=> I service | <====> | network | <====> | network | <===> Experiment 
+ + + + + + 



user <-> dialin <-> backbone with BB <-> <remote experiment> 
Fig. 1 — Example of a Multi Domain Multi Type of Server Request 



2.1.2. Application Specific Module (ASM) 

Ultimately an AAA server needs to interact with an application 
specific module (ASM) . In a service provider, the ASM would manage 
resources and configure the service equipment to provide the 
authorized service. It might also involve itself in the 
authorization decision because it has the applica'tion specific 
knowledge required. A user home organization (UHO) may require ASMs 
as well, to perform application specific user authorization 
functions. For example, a UHO ASM might be required to access 
certain application specific databases or interpret application 
specific service level specifications. 

Whatever the role of an administration relative to an authorization 
decision, the capabilities of the generic AAA server and the 
interface between it and the ASMs remains the same. This interface 
may be an Application Program Interface (API) or could even be a 
protocol based interface. In this model, however, the application 
specific module is regarded as as separate architectural component 
from the generic AAA server. As such, it must be addressable and 
must therefore be part of a global naming space. 

2.1.3. Authorization Event Log 

For auditing purposes, the generic server must have some form of 
database to store time-stamped events which occur in the AAA server. 
This database can be used to account for authorizations which were 
given, but it can also be used in rules. One can imagine rules in 
which an authorization is only given if some other event was logged 
in the past. With the aid of certificates, this database could 
support non-repudiation. 

2.1.4. Policy Repository 
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A database containing the available services and resources about 
which authorization decisions can be made and the policy rules to 
make them is also needed. Here too, the naming space for the 
services and resources is important since they must be addressable 
from other AAA servers to be able to build complex authorization 
requests . 

2.1.5. Request Forwarding 

Due to the multiple administrative domain (multi-kingdom) nature of 
the AAA problem, a mechanism to forward messages between AAA servers 
is needed. The protocol by which two AAA servers communicate should 
be a peer-to-peer protocol. 

2.2. Generic AAA Server Model 

with the implementation of the above mentioned components, the AAA 
server would be able to handle AAA requests. It would inspect the 
contents of the request, determine what authorization is requested, 
retrieve the policy rules from the repository, perform various local 
functions, and then choose one of the following options to further 
process each of the components of the request: 

a) Let the component be evaluated by an attached ASM. 

b) Query the authorization event log or the policy repository for the 
answer . 

c) Forward the component (s) to another AAA server for evaluation, 
In the following sections we present the generic model. 

2.2.1. Generic AAA Server Interactions 

Figure 2 illustrates a generic AAA Server with connections to the 
various architectural components described above. In this model, the 
user or another AAA server contacts the AAA server to get 
authorization, and the AAA server interacts with the service. The 
request is sent to the AAA server using the future AAA protocol. The 
server interacts with the service via a second protocol which we have 
labeled as type "2" in the figure. We say no more of the type 2 
protocol than that it must support some global naming space for the 
application specific items. The same holds for the type 3 
communication used to access the repository. 

+ + 

I I 

request < 1 >| Generic AAA Server |< 1 > AAA server 

I Rule based engine I 
I l\ 

+ + 3 + + 

^ \ I Policy and | 

1 I event | 

2 I repository | 



V 

+ + 



http:// 1 39 51 1 /se rch q c che: uDl x twJ : www zvon org/tm FC 5/ / 



Zvon - RFC 2903 [Gen^ AAA Architecture] - Generic Architect... Page 4 of 7 



I Application i 
I Specific I 
I Module I 
+ + 

The numbers in the links denote types of cornmunication. 

Fig. 2 -- Generic AAA Server Interactions 

2.2.2. Compatibility with Legacy Protocols 

Because of the widespread deployment of equipment that implements 
legacy AAA protocols and the desire to realize the functionality of 
the new AAA protocol while protecting the investment in existing 
infrastructure, it may be useful to implement a AAA gateway function 
that can encapsulate legacy protocol data units within the messages 
of the new protocol. Use of this technique, for example, would allow 
Radius attribute value pairs to be encapsulated in Application 
Specific Information (ASI) units of the new protocol in such a way 
that the ASI units can be digitally signed and encrypted for end-to- 
end protection between a service provider's AAA server and a home AAA 
server communicating via a marginally trusted proxy AAA server. The 
service provider's NAS would communicate via Radius to the service 
provider's AAA server, but the AAA servers would communicate among 
themselves via the new AAA protocol. In this case, the AAA gateway 
would be a software module residing in the service provider's AAA 
server. Alternatively the AAA gateway could be implemented as a 
standalone process. 

Figure 3 illustrates an AAA gateway. Communication type 4 is the 
legacy protocol. Communication type 1 is the future standard AAA 
protocol. And communication type 2 is for application specific 
communication to implication Specific Modules (ASMs) or Service 
Equipment . 

+ + 

I AAA |< 1 > to AAA server as in fig. 2 

request < 4 >|GateWay| 

I |< 2 > optionally to ASM/service 

+ + 

The numbers in the links denote types of communication. 

Fig. 3 — AAA Gateway for Legacy AAA Protocols 

2.2.3. Interaction between the ASM and the Service 

In a service provider, the ^plication Specific Module (ASM) and the 
software providing the service itself may be tightly bound into a 
single "Service ^plication". In this case, the interface between 
them is just a software interface. But the service itself may be 
provided by equipment external to the ASM, for example, a router in 
the bandwidth broker application. In this case, the ASM communicates 
with the service via some protocol. These two possibilities are 
illustrated in figure 4. In both cases, we have labeled the 
communication between the ASM and the service as communication type 
5, which of course, is service specific. 
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+ 1 — 

Service 2 
implication I 

+ 4- 

I ^plication I 
I Specific I 
I Module I 
+ + 

I 

5 
I 

+ + 

I Service | 



I 
I 

2 
I 

+ + 

I Application I 

I Specific I 

I Module I 
+ + 

I 

5 
I 

+ + 

I Service | 
I Equipment | 
+ + 



Fig. 4 — ASM to Service Interaction (two views) 



2.2.4. Multi-domain Architecture 



The generic AAA server modules can use communication type 1 to 
contact each other to evaluate parts of requests. Figure 5 
illustrates a network of generic AAA servers in different 
administrative domains communicating via communication type 1, 



+ + 

o I AAA I >. . . 

/ I I 

/ + + \ 

/ I \+ + 

/ + + I RP I 

/ I ASM I + + 

+ + + + / I I 

I Client I I AAA | o + + 

+ + I I \ 

+ + \ 

I + + \ + + 

+ + I RP I o I AAA I >. . . 

I ASM I + + I I 

I I + +\ 

+ + I \+ + 

+ + I RP I 

I ASM I + + 

I I 
+ + 



The AAA servers use only communication type 1 to communicate. 
ASM = -implication Specific Module 
RP = Repository 

Fig. 5 — Multi-domain Multi-type of Service Architecture 



2.3. Model Observations 



Some key points of the generic architecture are: 
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1) The same generic AAA server can function in all three 
authorization models: agent, pull, and push [2]. 

2) The rule based engine knows how to evaluate logical formulas and 
how to parse AAA requests. 

3) The Generic AAA server has no knowledge whatsoever about the 
application specific services so the application specific 
information it forwards is opaque to it. 

4) Communication types 1, 2, and 3 each present their own naming 
space problems. Solving these problems is fundamental to 
forwarding AAA messages, locating application specific entities, 
and locating applicable rules in the rule repositories. 

5) A standard AAA protocol for use in communication type 1 should be 
a peer-to-peer protocol without imposing client and server roles 
on the communicating entities. 

6) A standard AAA protocol should allow information units for 
multiple different services belonging to multiple different 
applications in multiple different administrative domains to be 
combined in a single AAA protocol message. 

2.4. Suggestions for Future Work 

It is hoped that by using this generic model it will be feasible to 
design a AAA protocol that is "future proof", in a sense, because 
much of what we do not think about now can be encoded as application 
specific information and referenced by policy rules stored in a 
policy repository. From this model, some generic requirements arise 
that will require some further study. For example, suppose a new 
user is told that somewhere on a specific AAA server a certain 
authorization can be obtained. The user will need a AAA protocol 
that can: 

1) send a query to find out which authorizations can be obtained from 
a specific server, 

2) provide a mechanism for determining what components must be put in 
an AAA request for a specific authorization, and 

3) formulate and transmit the authorization request. 

Some areas where further work is particularly needed are in 
identifying and designing the generic components of a AAA protocol 
and in determining the basis upon which component forwarding and 
policy retrieval decisions are made. 

In addition to these areas, there is a need to explore the management 
of rules in a multi-domain AAA environment because the development 
and future deployment of a generic multi-domain AAA infrastructure is 
largely dependent on its manageability. Multi-domain AAA 
environments housing many rules distributed over several AAA servers 
quickly become unmanageable if there is not some form of automated 
rule creation and housekeeping. Organizations that allow their 
services to be governed by rules, based on some form of commercial 
contract, require the contract to be implemented with the least 
possible effort. This can, for example, be achieved in a scalable 
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fashion if the individual user or user organization requesting a 
service is able to establish the service itself. This kind of 
interaction requires policy rule establishment between AAA servers 
belonging to multiple autonomous administrative domains. 



ZVON > RFC Repository > RFC 2903 



Frontpage / Contents 

Prev I Next | RFC index | RFC search |Web Hosting UK| 



Related sites: 

• VisualBuiider.com - Java, JSP, 
ASP, XML scripting languages, 

• TopXML- XML Tutorials, 
MS.NET XML Tutorials 

• Tele-Tips Forum - Software and 
hardware forums for computer 
professionals 

• SitePoint - Articles - web 
design, client side and server 
side coding 



• Programmers Heaven - 

Assembler, Basic, C/C++, C#, 
Delphi & Kylix, Java, ... 

• ASP Alliance - ASP, ASP.NET, 
ADO.NET, C#, JScript, 
VBScript, VB.Net 

• DevelopersDex - ASP, C#, 
SQL, VB, XML 

• Developer Fusion - Free VB, 
ASP, .NET and C++ tutorials 
and source code 



• DevGuru - ADO, ASP, 
CSS2, HTML, Javascript, 
JetSQL, VBScript, WML, 
XML, ... 

• Code Project - Free C++, 
C# and .NET articles, code 
snippets, discussions, news 



gateway laptop 
digital camera 
personal injury 
online casino 



digital camera equipment 
Comparison Shopping 
Prime Interest Rates 
online casinos 



hp laptop & printers 
DiscountCamera 
classic books 



aldo shoes 
Discount Video Store 
Personal Injury Lawyers 



http:// 1 39 51 1 /se rch q c che^ uDl x twJ : www zvon org/tm FC 5/ / 



Your Search Results 


• 




• 




Page 1 of 1 




RFC-ED 
HOME 


NEWS 


II 

Jj DATABASE 


1 SEARCH 1 


RFC II 
ERRATA ||_ 


l-D 
SEARCH 


IETF 
HOME 



m 



Perform Another Search : 



Imoblle aaa authentication authorizs MS:^IR®!lSil 



Search for JA" Fields [g| Results Per Page: 
[25"1 

RFC File: ® ASCII+ O All PDF 



Search : ® All O RFC O STD O 
BCP O FYI 
Match: ® Prefix O Entire Word 
Show Abstract: OOn ©Off 
Show Keywords: OOn ®Off 
Result Order : ® Descending O 
Ascending 
RFC Contents Via: ® FTP O HTTP 



o Based on your search of [mobile aaa authentication authorization accounting] in the 
All Fields field 1 matches were found 



Number 


Title 


Author or 
Ed. 


Date 


Format 


More Info 
(Obs&Upd) 


Status 


RFC2977 


MobUe IP 
Authentication, 
Authorization, and 
Accounting 
Requirements 


S. Glass, T. 
ffiUer, S. 
Jacobs, C. 
Perkins 


October 
2000 


ASCII 




INFORMATIONAL 



http://www rfc-e itor org/cgi- in/rfcse rch pi 



5/ 8/ 



Your Search Results 



Page 1 of 1 



RFC-ED 
HOME 


NEWS 


RFC 
DATABASE 


RFC 
SEARCH 


RFC 
ERRATA 


l-D 
SEARCH 


IETF 
HOME 






mm 





Perform Another Search : 




jmobile home foreign aaa authentid pSMS6]SHlB| 


Search : ® All O RFC C STD O 

BCP O FYI 
Match : ® Prefix O Entire Word 
Show Abstract: OOn ® Off 
Show Keywords: OOn ®Off 
Result Order : ® Descending O 

Ascending 
RFC Contents Via: ® FTP O HTTP 


Search for :|aii Fields g| Results Per Page: 
|25 S 

RFC File: ® ASCII+ O All PDF 









o Based on your search of [mobile home foreign aaa authentication authorization 
accounting] in the All Fields field zero matches were made. 

Sony, please try again. 



http://www rfc-e itor org/cgi- in/rfcse rch pi 



5/ 8/ 



